DSW settles with FTC over security lapse involving credit cards

Shoe retailer DSW reached a settlement with the Federal Trade Commission last week over a privacy breach that allowed hackers to gain control of sensitive credit-card information of more than 1.4 million customers, among them FTC Chairman Deborah Platt Majoras.

The FTC charged that the discounter engaged in an illegal practice by failing to adequately protect consumer information; storing unneeded information; failing to encrypt sensitive information; requiring only a commonly known user ID and password; and lacking sufficient security to detect unauthorized access.

Ms. Majoras declined to comment.

Independent audits

The settlement requires DSW to implement a comprehensive information-security program and undergo independent security audits each year for 20 years.

DSW's privacy breach was disclosed earlier this year. Credit-card numbers and transaction information on purchases in 108 stores from mid-November 2004 through mid-February 2005 were accessed by hackers, though the information included no address or PIN information. Also taken was information about 96,000 check transactions that included checking account numbers and driver's license numbers, but no names and addresses.

The Ohio Attorney General earlier sued DSW, questioning whether the company had done enough to notify customers of the breach.

The FTC said that DSW's financial documents suggest the breach could expose the company to $6.5 million to $9.5 million in losses.